CLAIMS:

1. A method of generating an Authorized Domain (AD), the method comprising the steps of

- selecting a domain identifier (Domain_ID) uniquely identifying the Authorized Domain (100),

- binding at least one user (P1, P2, ..., PN1) to the domain identifier (Domain_ID), and

- binding at least one device (D1, D2, ..., DM) to the domain identifier (Domain_ID), and

thereby obtaining a number of devices (D1, D2, ..., DM) and a number of persons (P1, P2, ..., PN1) that is authorized to access a content item of said Authorized Domain (100).

2. A method according to claim 1, characterized in that the method further comprises the step of:

- binding at least one content item (C1, C2, ..., CN2) to the Authorized Domain (AD) given by the domain identifier (Domain_ID).

3. A method according to claims 1-2, characterized in that the step of binding at least one user (P1, P2, ..., PN1) to the domain identifier (Domain_ID) comprises:

- obtaining or generating a Domain Users List (DUC) comprising the domain identifier (Domain_ID) and a unique identifier (Pers_ID1, Pers_ID2, ..., Pers_IDN1) for a user (P1, P2, ..., PN1) thereby defining that the user is bound to the Authorized Domain (100),

and/or in that the step of binding at least one device (D1, D2, ..., DM) to the domain identifier (Domain_ID) comprises:

- obtaining or generating a Domain Devices List (DDC) comprising the domain identifier (Domain_ID) and a unique identifier (Dev.ID1, Dev.ID2, ..., Dev.IDM) for a device (D1, D2, ..., DM) thereby defining that the device is bound to the domain (100).

4. A method according to claims 2-3, characterized in that the step of binding at least one content item (C1, C2, ..., CN2) to the Authorized Domain (AD) comprises:

- binding a content item (C1, C2, ..., CN2) to a User Right (URC1, URC2, ..., URCN2), where said User Right (URC1, URC2, ..., URCN2) is bound to a user (P1, P2, ..., PN1) bound to the Authorized Domain (100), and/or

- binding a content item (C1, C2, ..., CN2) to a Device Right (DevRC), where said Device Right (DevRC) is bound to a device (D1, D2, ..., DM) bound to the Authorized Domain (100).

5. A method according to claims 2-4, characterized in that the step of binding at least one content item (C1, C2, ..., CN2) to the Authorized Domain (100) comprises:

- binding a content item (C1, C2, ..., CN3) to a Domain Right (DRC1, DRC2, ..., DRCN2), where said Domain Right (DRC1, DRC2, ..., DRCN2) is bound to the Authorized Domain (100).

6. A method according to claims 4 or 5, characterized in that the User Right (URC) or the Device Right (DevRC) or the Domain Rights (DRC) comprises rights data (Rghts Dat) representing which rights exists in relation to the at least one content item (C1, C2, ..., CN2) bound to the User Right (URC) or the Device Right (DevRC) or the Domain Rights (DRC).

7. A method according to any one of the previous claims, characterized in that the method further comprises the step of controlling access to a given content item bound to the Authorized Domain (100) by a given device being operated by a given user, the step comprising:

- checking if the given user is bound to the same Authorized Domain (100) as the given content item, or

- checking if the given device is bound to the same Authorized Domain (100) as the given content item,

and allowing access for the given user via the given device and/or other devices to the content item if the given user is bound to the same Authorized Domain (100),

or allowing access for the given user and/or other users via the given device to the content item if the given device is part of the same Authorized Domain (100).

8. A method according to any one of claims 1-6, characterized in that the method further comprises the step of controlling access to a given content item (C1, C2, ..., CN2), being bound to the Authorized Domain (100) and having a unique content identifier (Cont_ID), by a given device being operated by a given user comprising:

- checking if the Domain Devices List (DDC) of the Authorized Domain (100) comprises an identifier (Dev.ID) of the given device, thereby checking if the given device is bound to the same Authorized Domain (100) as the content item, and/or

- checking if the Domain User List (DUC) of the Authorized Domain (100) comprises an identifier (Pers_ID) of the given user (P1, P2, ..., PN1) thereby checking if the given user is bound to the same Authorized Domain (100) as the content item,

- and allowing access to the given content item (C1, C2, ..., CN2) by the given device (D1, D2, ..., DM) for any user if the given device is bound to the same Authorized Domain (100) as the content item being accessed, and/or

- allowing access to the given content item (C1, C2, ..., CN2) by any device including the given device for the given user if the given user is bound to the same Authorized Domain (100) as the content item being accessed.

9. A method according to claims 7-8, characterized in that the step of controlling access of a given content item further comprises:

- checking that the User Right (URC) for the given content item specifies that the given user (P1, P2, ..., PN1) has the right to access the given content item (C1, C2, ..., CN2) and only allowing access to the given content item (C1, C2, ..., CN2) in the affirmative.

10. A method according to claims 1-9, characterized in that every content item is encrypted and that a content right (CR) is bound to each content item and to a User Right (URC) or a Device Rights (DevRC) or a Domain Rights (DRC), and that the content right (CR) of a given content item comprises an decryption key for decrypting the given content item.

11. A method according to claims 3-10, characterized in that

- the Domain Users List (DUC) is implemented as or included in a Domain Users Certificate, and/or

- the Domain Devices List (DDC) is implemented as or included in a Domain Devices Certificate, and/or

- the User Right (URC1, URC2, ..., URCN2) is implemented as or included in a User Right Certificate, and/or

- the Device Right (DevRC) is implemented as or included in a Device Right Certificate, and/or

- the Domain Rights (DRC1, DRC2, ..., DRCN2) is implemented/included in a Domain Rights Certificate.



12. A system for generating an Authorized Domain (AD), the system comprising:

- means for obtaining a domain identifier (Domain_ID) uniquely identifying the Authorized Domain (100),

- means for binding at least one user (P1, P2, ..., PN1) to the domain identifier (Domain_ID), and

- means for binding at least one device (D1, D2, ..., DM) to the domain identifier (Domain_ID), and

thereby obtaining a number of devices (D1, D2, ..., DM) and a number of persons (P1, P2, ..., PN1) that is authorized to access a content item of said Authorized Domain (100).






13. A system according to claim 1, characterized in that the system further comprises:

- means for binding at least one content item (C1, C2, ..., CN2) to the Authorized Domain (AD) given by the domain identifier (Domain_ID).



WO 2005/010879, PCT/IB2004/051226, PHNL030926

14. A system according to claims 12-13, characterized in that the means for binding at least one user (P1, P2, ..., PN1) to the domain identifier (Domain_ID) is adapted to:

- obtain or generate a Domain Users List (DUC) comprising the domain identifier (Domain_ID) and a unique identifier (Pers_ID1, Pers_ID2, ..., Pers_IDN1) for a user (P1, P2, ..., PN1) thereby defining that the user is bound to the Authorized Domain (100),

and/or in that the means for binding at least one device (D1, D2, ..., DM) to the domain identifier (Domain_ID) is adapted to:

- obtain or generate a Domain Devices List (DDC) comprising the domain identifier (Domain_ID) and a unique identifier (Dev.ID1, Dev.ID2, ..., Dev.IDM) for a device (D1, D2, ..., DM) thereby defining that the device is bound to the domain (100).

15. A system according to claims 13-14, characterized in that the means for binding at least one content item (C1, C2, ..., CN2) to the Authorized Domain (AD) is adapted to:

- bind a content item (C1, C2, ..., CN2) to a User Right (URC1, URC2, ..., URCN2), where said User Right (URC1, URC2, ..., URCN2) is bound to a user (P1, P2, ..., PN1) bound to the Authorized Domain (100), and/or

- bind a content item (C1, C2, ..., CN2) to a Device Right (DevRC), where said Device Right (DevRC) is bound to a device (D1, D2, ..., DM) bound to the Authorized Domain (100).

16. A system according to claims 13-15, characterized in that the means for binding at least one content item (C1, C2, ..., CN2) to the Authorized Domain (100) is adapted to:

- bind a content item (C1, C2, ..., CN3) to a Domain Right (DRC1, DRC2, ..., DRCN2), where said Domain Right (DRC1, DRC2, ..., DRCN2) is bound to the Authorized Domain (100).

17. A system according to claims 15 or 16, characterized in that the User Right (URC) or the Device Right (DevRC) or the Domain Rights (DRC) comprises rights data (Rghts Dat) representing which rights exists in relation to the at least one content item (C1, C2, ..., CN2) bound to the User Right (URC) or the Device Right (DevRC) or the Domain Rights (DRC).

18. A system according to claims 12-17, characterized in that the system further comprises means for controlling access to a given content item bound to the Authorized Domain (100) by a given device being operated by a given user, where the means is adapted to:

- check if the given user is bound to the same Authorized Domain (100) as the given content item, or

- check if the given device is bound to the same Authorized Domain (100) as the given content item,

and allow access for the given user via the given device and/or other devices to the content item if the given user is bound to the same Authorized Domain (100),

or allow access for the given user and/or other users via the given device to the content item if the given device is part of the same Authorized Domain (100).

19. A system according to any one of claims 12-17, characterized in that the system further comprises means for controlling access to a given content item (C1, C2, ..., CN2), being bound to the Authorized Domain (100) and having a unique content identifier (Cont_ID), by a given device being operated by a given user, where the means is adapted to:

- check if the Domain Devices List (DDC) of the Authorized Domain (100) comprises an identifier (Dev.ID) of the given device, thereby checking if the given device is bound to the same Authorized Domain (100) as the content item, and/or

- check if the Domain User List (DUC) of the Authorized Domain (100) comprises an identifier (Pers_ID) of the given user (P1, P2, ..., PN1) thereby checking if the given user is bound to the same Authorized Domain (100) as the content item,

- and allow access to the given content item (C1, C2, ..., CN2) by the given device (D1, D2, ..., DM) for any user if the given device is bound to the same Authorized Domain (100) as the content item being accessed, and/or

- allow access to the given content item (C1, C2, ..., CN2) by any device including the given device for the given user if the given user is bound to the same Authorized Domain (100) as the content item being accessed.

20. A system according to claims 18-19, characterized in that the means for controlling access of a given content item is further adapted to further:

- check that the User Right (URC) for the given content item specifies that the given user (P1, P2, ..., PN1) has the right to access the given content item (C1, C2, ..., CN2) and only allowing access to the given content item (C1, C2, ..., CN2) in the affirmative.

21. A system according to claims 12-20, characterized in that every content item is encrypted and that a content right (CR) is bound to each content item and to a User Right (URC) or a Device Rights (DevRC) or a Domain Rights (DRC), and that the content right (CR) of a given content item comprises an decryption key for decrypting the given content item.

22. A system according to claims 24 - 21, characterized in that

- the Domain Users List (DUC) is implemented as or included in a Domain Users Certificate, and/or

- the Domain Devices List (DDC) is implemented as or included in a Domain Devices Certificate, and/or

- the User Right (URC1, URC2, ..., URCN2) is implemented as or included in a User Right Certificate, and/or

- the Device Right (DevRC) is implemented as or included in a Device Right Certificate, and/or

- the Domain Rights (DRC1, DRC2, ..., DRCN2) is implemented/included in a Domain Rights Certificate.

23. A computer readable medium having stored thereon instructions for causing one or more processing units to execute the method according to any one of claims 1-11.
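
The access check of claims 8 and 9 (mirrored in claims 19 and 20), modelled in Python as an added example that is not part of the patent text. The class and function names, the `strict` flag, the sample identifiers and the rights vocabulary are assumptions made for illustration; certificate validation (claims 11, 22) and content decryption (claims 10, 21) are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DomainList:
    """A Domain Users List (DUC) or Domain Devices List (DDC)."""
    domain_id: str       # Domain_ID the list was issued for
    members: frozenset   # Pers_ID values (DUC) or Dev.ID values (DDC)

@dataclass(frozen=True)
class UserRight:
    """A User Right (URC): binds a content item to a user, with rights data."""
    cont_id: str
    pers_id: str
    rights: frozenset    # constructed rights vocabulary, e.g. {"play"}

def content_domain(cont_id, urcs, duc):
    """Claim 4: content belongs to the domain if a URC binds it to a user in the DUC."""
    bound = any(u.cont_id == cont_id and u.pers_id in duc.members for u in urcs)
    return duc.domain_id if bound else None

def check_access(cont_id, pers_id, dev_id, right, urcs, duc, ddc, strict=False):
    """Return 'device', 'user' or None (deny); strict=True adds the claim 9 check."""
    domain = content_domain(cont_id, urcs, duc)
    if domain is None:
        return None
    # A Dev.ID counts only if its list carries the content's Domain_ID:
    # the shared Domain_ID is what ties the separate DUC and DDC together.
    via_device = ddc.domain_id == domain and dev_id in ddc.members
    via_user = pers_id in duc.members
    if not (via_device or via_user):
        return None
    # Claim 9: the URC must also grant this user this right on this item.
    if strict and not any(u.cont_id == cont_id and u.pers_id == pers_id
                          and right in u.rights for u in urcs):
        return None
    return "device" if via_device else "user"

# Constructed sample data (not from the patent)
DUC = DomainList("AD-100", frozenset({"P1", "P2"}))
DDC = DomainList("AD-100", frozenset({"D1", "D2"}))
OTHER_DDC = DomainList("AD-200", frozenset({"D9"}))   # device list of a foreign domain
URCS = [UserRight("C1", "P1", frozenset({"play"}))]

if __name__ == "__main__":
    print(check_access("C1", "P9", "D1", "play", URCS, DUC, DDC))        # guest on a domain device
    print(check_access("C1", "P2", "D9", "play", URCS, DUC, OTHER_DDC))  # domain user, foreign device
    print(check_access("C1", "P9", "D1", "play", URCS, DUC, DDC, True))  # claim 9 check applied
```

Without the claim 9 check, any user of a domain device reaches the item, which is the "for any user" behaviour of claim 8; with it, the URC's rights data becomes the deciding control.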